Can Berk Güder cbguder

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output

	# note that this only works with some Yubikeys -- I have confirmed that it works
	# fine with my Nano, and it should also work with the NEO, and as is documented
	# here by Yubico: https://www.yubico.com/blog/yubikey-keyboard-layouts/

	# first, install the ykpersonalize tool:
	$ brew install yubikey-personalization

	# next, we run the yubikey tool to update its internal keyboard scan map to Dvorak:
	$ ykpersonalize -S0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7271e1f202122232425269e2b28

	@implementation UITextView (RSExtras)


	static BOOL stringCharacterIsAllowedAsPartOfLink(NSString *s) {

	/*[s length] is assumed to be 0 or 1. s may be nil.
	Totally not a strict check.*/

	if (s == nil \|\| [s length] < 1)
	return NO;

	# Uncrustify 0.60
	newlines = auto
	input_tab_size = 4
	output_tab_size = 4
	string_escape_char = 92
	string_escape_char2 = 0
	tok_split_gte = false
	utf8_bom = ignore
	utf8_byte = false
	utf8_force = false

	#
	# Uncrustify Configuration File
	# File Created With UncrustifyX 0.2 (140)
	#

	# Alignment
	# ---------

	## Alignment

	#import <UIKit/UIKit.h>

	@interface UIView (SMFrameAdditions)

	@property (nonatomic, assign) CGPoint $origin;
	@property (nonatomic, assign) CGSize $size;
	@property (nonatomic, assign) CGFloat $x, $y, $width, $height; // normal rect properties
	@property (nonatomic, assign) CGFloat $left, $top, $right, $bottom; // these will stretch the rect

	@end

	#
	# uncrustify config file for objective-c and objective-c++
	#

	indent_with_tabs = 0 # 1=indent to level only, 2=indent with tabs
	output_tab_size = 4 # new tab size
	indent_columns = output_tab_size
	indent_label = 2 # pos: absolute col, neg: relative column
	indent_align_assign = FALSE

	# --------------------------------------------------------------------
	# Eller's algorithm for maze generation. Novel in that it only
	# requires memory proportional to the size of a single row; this means
	# you can generate "bottomless" mazes with it, that just keep going
	# and going and going, using not only constant memory, but little
	# memory in general.
	# --------------------------------------------------------------------

	# --------------------------------------------------------------------
	# 1. Allow the maze to be customized via command-line parameters